Following the recent nonsense over the Firefox Myths web page, it’s interesting to see in Information Week that more data has come to light about spyware and browsers.

Researchers at the University of Washington have been looking at the prevalence of spyware on the web, and in the process they did a side-by-side comparison of spyware attacks on IE and Firefox. The original paper can be found (956KB PDF) over on co-author Steve Gribble’s web page.

Summary

To study drive-by installations of spyware using the Internet Explorer browser on Windows, we performed a crawl of 45,000 URLs in May and two crawls of 45,000 URLs in October 2005 … Once a user browses an infectious domain, they are very likely to be hit with a spyware infection, often whether or not they respond “yes” to a security prompt. Overall, in our most recent crawl, we found drive-by downloads attempted in 0.4% of the URLs we examined and drive-by attacks that exploit browser vulnerabilities in 0.2% of the examined URLs.

We also examined whether the Firefox browser was susceptible to drive-by installations. We found that only 0.08% of examined URLs performed a drive-by download installation, but all of these required user consent in order to succeed. We found no drive-by attacks that exploited vulnerabilities in Firefox.

Conclusion

“We can’t say whether Firefox is a safer browser or not,” said Henry Levy, one of the two University of Washington professors who, along with a pair of graduate students, created Web crawlers to scour the Internet for spyware in several 2005 forays. “But we can say that users will have a safer experience [surfing] with Firefox.”

So both browsers on unpatched systems are vulnerable to spyware attacks and users should never assume that they are totally safe with any browser. For whatever reason, Internet Explorer does appear to be more vulnerable to attack than Firefox. Particularly alarming for IE users is the finding that spyware can still install even if the user responds “No” to the security prompt.

At the same time, the study doesn’t take into account that IE7 is currently in beta and, for all I know about it, many of the vulnerabilities in IE6 may no longer be a concern in the new version.

This entry was posted on Friday, February 10th, 2006 at 1:16 pm.
This page is no longer maintained and the information above is probably out of date.